Close Icon
We use cookies to improve your website experience. To learn about our use of cookies and how you can manage your cookie settings, please see our Cookie Policy. By continuing to use the website, you consent to our use of cookies.

TMT Intelligence is part of the Business Intelligence Division of Informa PLC

This is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

GDPR empowers customers, creates business risk

Ovum view

Summary

The General Data Protection Regulation (GDPR) now being enacted throughout the European Union gives consumers new rights and powers regarding access to and use of their personal data by businesses. While those powers are intended for individuals, they create a unique opportunity for collective action.

A new form of boycott can paralyze noncompliant businesses

Article 15 of the GDPR gives EU citizens the right to demand access to their personal data and a description of how it is being used. Upon request, the data protection officer of the company must provide an overview of the types of data being used, as well as a copy of the actual data, the purposes to which it is being put, who has access to it, and how it was acquired. This must be done within one month of receiving the request. Furthermore, Article 17 provides a right of erasure, meaning citizens can request erasure of all their personal data for a variety of reasons and can ask to never be contacted by that company again, barring a legitimate reason, such as execution of a contract.

On the individual level, these rights and requirements are harmless and work as the GDPR is intended: to provide greater control of privacy and security for EU citizens and their data. However, the legislation does not appear to consider what would happen if a large group of citizens were to coordinate their actions and make their requests at the same time. Subject data access requests cannot be ignored and are not supposed to be unduly delayed once received. The processing of these requests – a nontrivial task – can overwhelm a company's ability to comply, slowing its operations to a crawl in order to process them or subjecting them to significant fines if they fail to comply. In short, if enough people decide to act, they can effectively cripple a company, or at least some of its departments, by performing what is in effect a distributed denial-of-service attack.

Realistically speaking, it is unlikely that such a "consumer strike" will be at all common, as the effort required would probably be reserved for egregiously bad corporate behavior. There are enough cases where normal protests and boycotts have grown beyond a business's ability to tolerate, though, that such a scenario cannot be overlooked. Another consideration is that there does not appear to be any proof required on the part of the citizens that a company is using or accessing their data before they make a disclosure request, so mass actions can quickly grow to immense scope, whether they are based on legitimate complaints or not.

Recommended Articles

Over 20 of our senior Ovum analysts and consultants attended this year&rsquo;s Mobile World Congress in Barcelona at the end of February. In between meetings, briefings and presentations, our analyst team were blogging and tweeting about key developments, trends and rumors. Have a look through our daily MWC 2018 Highlights to find out what happened.

With US pay TV having endured the worst year in its history, thoughts have inevitably turned to the future. The likelihood remains that the immediate future will remain highly uncomfortable for everyone except the scaled multinational digital platforms.

Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG. VAT GB365462636. Informa UK Limited is part of Informa PLC.